1. Field of the Invention
The invention relates to computer security. More particularly, the invention relates to a trusted communication channel to combat user name/password theft.
2. Discussion of the Prior Art
Malicious individuals employ various schemes to steal user name and password pairs from legitimate users of a computer system. A common scenario for such theft is to “spoof” an official page of a system and lure a user into entering a user name and password into the spoofed page. The attacker then logs in and changes the compromised password to preclude use thereof by the true user, and to ensure completion of the theft. In some cases, the attacker must use the stolen password immediately, for example where there is a time-sensitive component, such as a Secure ID component.
FIG. 1 is a schematic flow diagram that shows a user 10 logged in to a system 12 (as indicated by numeric designator (1)). A malicious individual 18 generates a message 14, for example indicating to the user 10 that they might win a corporate incentive and that details with regard to the incentive are provided at a website, e.g. “go to xyz.” The message is provided to the user 10 as indicated on FIG. 1 by the numeric designator (2).
The user follows the link, as indicated on FIG. 1 by the numeric designator (3). At the end of the link, there is a page 16 which the user has been led to believe is within the company system, i.e. which is a trusted page, but which is in fact an outside, i.e. untrusted, page. The user is asked to type in the user name and/or password to verify that they are entitled to receive the reward promised at the site. Unwittingly, the user enters this information and the malicious individual is thereafter able to capture the user's name and password, as indicated on FIG. 1 by the numeric designator (4). Thereafter, the malicious individual can log into the system, change the user's password, and steal information from the account. This is indicated on FIG. 1 by the numeric designator (5).
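The distinction the prior-art scenario turns on is whether page 16 is actually within the company system or merely appears to be. The following is an added illustration, not part of the patent text or any described embodiment, of how a defender might classify the destination of a link found in a message 14 before a user follows it. The trusted domain `example-corp.com`, the sample message, and the function names are constructed for this example; the check assumes the company system is reached only over HTTPS.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist of domains that belong to the (hypothetical) company system.
TRUSTED_DOMAINS = ("example-corp.com",)

# Matches absolute http(s) URLs embedded in free text (constructed pattern).
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_trusted_link(url, trusted_domains=TRUSTED_DOMAINS):
    """Return True only if the link points into a trusted domain (or a subdomain of one).

    The comparison is done on the parsed host name, not on the raw string, so that
    look-alike hosts such as 'example-corp.com.evil.example' and user-info tricks such
    as 'https://example-corp.com@evil.example/' are classified as untrusted.
    """
    parts = urlsplit(url.strip())
    # Assumption for this example: the company system is only ever reached over HTTPS.
    if parts.scheme.lower() != "https":
        return False
    host = parts.hostname  # lower-cased; user-info and port are already stripped
    if not host:
        return False
    host = host.rstrip(".")  # tolerate a trailing dot in the fully-qualified name
    for domain in trusted_domains:
        domain = domain.lower()
        if host == domain or host.endswith("." + domain):
            return True
    return False


def classify_links(message_text, trusted_domains=TRUSTED_DOMAINS):
    """Extract every absolute URL from a message and label it trusted or untrusted."""
    return [(url, is_trusted_link(url, trusted_domains)) for url in URL_RE.findall(message_text)]


# Constructed lure in the style of message 14: one look-alike link, one genuine link.
SAMPLE_MESSAGE = (
    "Congratulations! You may have won a corporate incentive. "
    "Claim it at https://example-corp.com.rewards-claim.example/login "
    "or read the policy at https://portal.example-corp.com/incentives"
)

if __name__ == "__main__":
    for url, trusted in classify_links(SAMPLE_MESSAGE):
        print(("TRUSTED   " if trusted else "UNTRUSTED ") + url)
```

Only the second link in the sample message is classified as trusted; the first is rejected because its registrable domain is `rewards-claim.example`, even though the string begins with the trusted name. Matching on the parsed host rather than on a substring of the URL is what makes the check resistant to the "looks like a company page" deception described above.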
It would be advantageous to provide a technique for using a trusted communication channel to combat user name/password theft.